ret = pa_enc_ts_decrypt_kvno(r, kvno, &enc_data, &ts_data, &pa_key);
if (ret == KRB5KDC_ERR_ETYPE_NOSUPP) {
char *estr;
- _kdc_set_e_text(r, "No key matching entype");
+ _kdc_set_e_text(r, "No key matching enctype");
if(krb5_enctype_to_string(r->context, enc_data.etype, &estr))
estr = NULL;
if(estr == NULL)
kvno);
goto out;
}
+
if (ret == KRB5KDC_ERR_PREAUTH_FAILED) {
krb5_error_code ret2;
const char *msg = krb5_get_error_message(r->context, ret);
krb5_data_free(&ts_data);
if(ret){
ret = KRB5KDC_ERR_PREAUTH_FAILED;
- _kdc_r_log(r, 4, "Failed to decode PA-ENC-TS_ENC -- %s",
+ _kdc_r_log(r, 4, "Failed to decode PA-ENC-TS-ENC -- %s",
r->cname);
goto out;
}
}
/*
- * Return 0 if the client have only older enctypes, this is for
+ * Return 0 if the client has only older enctypes, this is for
* determining if the server should send ETYPE_INFO2 or not.
*/
if(r->client->flags.postdate && r->server->flags.postdate)
r->et.flags.may_postdate = f.allow_postdate;
else if (f.allow_postdate){
- _kdc_set_e_text(r, "Ticket may not be postdate");
+ _kdc_set_e_text(r, "Ticket may not be postdateable");
ret = KRB5KDC_ERR_POLICY;
goto out;
}
_kdc_fix_time(&b->till);
t = *b->till;
- /* be careful not overflowing */
+ /* be careful not to overflow */
/*
* Pre-auth can override r->client->max_life if configured.
}
/*
- * Check and session and reply keys
+ * Check session and reply keys
*/
if (r->session_key.keytype == ETYPE_NULL) {
}
if (r->reply_key.keytype == ETYPE_NULL) {
- _kdc_set_e_text(r, "Client have no reply key");
+ _kdc_set_e_text(r, "Client has no reply key");
ret = KRB5KDC_ERR_CLIENT_NOTYET;
goto out;
}
goto out;
/*
- * Check if message too large
+ * Check if message is too large
*/
if (r->datagram_reply && r->reply->length > config->max_datagram_reply_length) {
krb5_data_free(r->reply);
break;
if(i == b->etype.len) {
kdc_log(context, config, 4,
- "Addition ticket have not matching etypes");
+ "Addition ticket has no matching etypes");
krb5_clear_error_message(context);
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
kdc_audit_addreason((kdc_request_t)priv,
}
/*
- * If the client sent more then 10 EDI, don't bother
- * looking more then 10 of performance reasons.
+ * If the client sent more than 10 EDIs, don't bother
+ * looking at more than 10 for performance reasons.
*/
maxedi = edi->len;
if (maxedi > 10)
*kdc_cert = NULL;
/*
- * If the message client is a win2k-type but it send pa data
+ * If the message client is a win2k-type but it sends pa data
* 09-binding it expects a IETF (checksum) reply so there can be
* no replay attacks.
*/
krb5_data_free(&ocsp.data);
ocsp.expire = 0;
} else if (ocsp.expire > 180) {
- ocsp.expire -= 180; /* refetch the ocsp before it expire */
+ ocsp.expire -= 180; /* refetch the ocsp before it expires */
ocsp.next_update = ocsp.expire;
} else {
ocsp.next_update = kdc_time;
if (strcmp(*subject_name, acl->val[0].subject) != 0)
continue;
- /* Don't support isser and anchor checking right now */
+ /* Don't support issuer and anchor checking right now */
if (acl->val[0].issuer)
continue;
if (acl->val[0].anchor)
NP_("use this credential cache as FAST armor cache", ""), "cache" },
{ "use-referrals", 0, arg_flag, &use_referrals_flag,
- NP_("only use referrals, no dns canalisation", ""), NULL },
+ NP_("only use referrals, no dns canonicalisation", ""), NULL },
{ "windows", 0, arg_flag, &windows_flag,
NP_("get windows behavior", ""), NULL },
/* NUL-terminate for rk_base64_decode() and plain paranoia */
if (p0 != NULL && p == pend) {
/*
- * Work out how far p is into p0 to re-esablish p after
+ * Work out how far p is into p0 to re-establish p after
* the realloc()
*/
size_t p0_to_pend_len = (pend - p0);
return 0;
/*
- * check for unknown extensions and if they where tagged mandatory
+ * check for unknown extensions and if they were tagged mandatory
*/
for (i = 0; i < ent->extensions->len; i++) {
continue;
if (ent->extensions->val[i].mandatory) {
krb5_set_error_message(context, HDB_ERR_MANDATORY_OPTION,
- "Principal have unknown "
+ "Principal has unknown "
"mandatory extension");
return HDB_ERR_MANDATORY_OPTION;
}
if (new_kr->base_kvno <= last_kvno) {
krb5_set_error_message(context, EINVAL,
"New key rotation base kvno must be larger "
- "the last kvno for the current key "
+ "than the last kvno for the current key "
"rotation (%u)", last_kvno);
return EINVAL;
}
((kr->epoch - prev_kr->epoch) / prev_kr->period))) {
krb5_set_error_message(context, EINVAL,
"New key rotation base kvno must be larger "
- "the last kvno for the current key "
+ "than the last kvno for the current key "
"rotation (%u)", last_kvno);
return EINVAL;
}
/**
* Selects if the hx509_revoke_verify() function is going to require
- * the existans of a revokation method (OCSP, CRL) or not. Note that
- * hx509_verify_path(), hx509_cms_verify_signed(), and other function
+ * the existence of a revocation method (OCSP, CRL) or not. Note that
+ * hx509_verify_path(), hx509_cms_verify_signed(), and other functions
* call hx509_revoke_verify().
*
* @param context hx509 context to change the flag for.
- * @param flag zero, revokation method required, non zero missing
- * revokation method ok
+ * @param flag zero, revocation method required, non zero missing
+ * revocation method ok
*
* @ingroup hx509_verify
*/
}
/**
- * Allocate an verification context that is used fo control the
+ * Allocate an verification context that is used to control the
* verification process.
*
* @param context A hx509 context.
ret = add_to_list(list, &sa.val[j].u.otherName.value);
if (ret) {
hx509_set_error_string(context, 0, ret,
- "Error adding an exra SAN to "
+ "Error adding an extra SAN to "
"return list");
hx509_free_octet_string_list(list);
free_GeneralNames(&sa);
/*
* The subject name of the proxy certificate should be
- * CN=XXX,<proxy issuer>, prune of CN and check if its
+ * CN=XXX,<proxy issuer>. Prune off CN and check if it's
* the same over the whole chain of proxy certs and
* then check with the EE cert when we get to it.
*/
} else {
/*
* Now we are done with the proxy certificates, this
- * cert was an EE cert and we we will fall though to
+ * cert was an EE cert and we will fall though to
* EE checking below.
*/
type = EE_CERT;
HEIM_FALLTHROUGH;
case EE_CERT:
/*
- * If there where any proxy certificates in the chain
+ * If there were any proxy certificates in the chain
* (proxy_cert_depth > 0), check that the proxy issuer
- * matched proxy certificates "base" subject.
+ * matched the proxy certificate's "base" subject.
*/
if (proxy_cert_depth) {
}
/*
- * Verify that no certificates has been revoked.
+ * Verify that no certificates have been revoked.
*/
if (ctx->revoke_ctx) {
goto out;
}
/*
- * Verify that the sigature algorithm is not weak. Ignore
+ * Verify that the signature algorithm is not weak. Ignore
* trust anchors since they are provisioned by the user.
*/
* @param signer the certificate that made the signature.
* @param alg algorthm that was used to sign the data.
* @param data the data that was signed.
- * @param sig the sigature to verify.
+ * @param sig the signature to verify.
*
* @return An hx509 error code, see hx509_get_error_string().
*
* @param in the encoded buffer.
* @param oid type of the content.
* @param out data to be wrapped.
- * @param have_data since the data is optional, this flags show dthe
- * diffrence between no data and the zero length data.
+ * @param have_data since the data is optional, this flag shows the
+ * difference between no data and the zero length data.
*
* @return Returns an hx509 error code.
*
break;
}
default:
- ret = asprintf(str, "certificate have unknown CMSidentifier type");
+ ret = asprintf(str, "certificate has unknown CMSidentifier type");
break;
}
/*
/**
* Decode and unencrypt EnvelopedData.
*
- * Extract data and parameteres from from the EnvelopedData. Also
+ * Extract data and parameters from the EnvelopedData. Also
* supports using detached EnvelopedData.
*
* @param context A hx509 context.
* EnvelopedData stucture.
* @param length length of the data that data point to.
* @param encryptedContent in case of detached signature, this
- * contains the actual encrypted data, othersize its should be NULL.
+ * contains the actual encrypted data, otherwise it should be NULL.
* @param time_now set the current time, if zero the library uses now as the date.
* @param contentType output type oid, should be freed with der_free_oid().
* @param content the data, free with der_free_octet_string().
hx509_cert_free(cert);
if (ret == 0)
- break; /* succuessfully decrypted cert */
+ break; /* successfully decrypted cert */
cert = NULL;
ret2 = unparse_CMSIdentifier(context, &ri->rid, &str);
if (ret2 == 0) {
}
/**
- * Encrypt end encode EnvelopedData.
+ * Encrypt and encode EnvelopedData.
*
* Encrypt and encode EnvelopedData. The data is encrypted with a
* random key and the the random key is encrypted with the
- * certificates private key. This limits what private key type can be
+ * certificate's private key. This limits what private key type can be
* used to RSA.
*
* @param context A hx509 context.
* @param flags flags to control the behavior.
* - HX509_CMS_EV_NO_KU_CHECK - Don't check KU on certificate
- * - HX509_CMS_EV_ALLOW_WEAK - Allow weak crytpo
+ * - HX509_CMS_EV_ALLOW_WEAK - Allow weak crypto
* - HX509_CMS_EV_ID_NAME - prefer issuer name and serial number
* @param cert Certificate to encrypt the EnvelopedData encryption key
* with.
*
* @param context A hx509 context.
* @param ctx a hx509 verify context.
- * @param flags to control the behaivor of the function.
+ * @param flags to control the behavior of the function.
* - HX509_CMS_VS_NO_KU_CHECK - Don't check KeyUsage
* - HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH - allow oid mismatch
* - HX509_CMS_VS_ALLOW_ZERO_SIGNER - no signer, see below.
* @param data pointer to CMS SignedData encoded data.
- * @param length length of the data that data point to.
+ * @param length length of the data that data points to.
* @param signedContent external data used for signature.
* @param pool certificate pool to build certificates paths.
* @param contentType free with der_free_oid().
* - HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH - allow oid mismatch
* - HX509_CMS_VS_ALLOW_ZERO_SIGNER - no signer, see below.
* @param data pointer to CMS SignedData encoded data.
- * @param length length of the data that data point to.
+ * @param length length of the data that data points to.
* @param signedContent external data used for signature.
* @param pool certificate pool to build certificates paths.
* @param contentType free with der_free_oid().
ret = HX509_CMS_MISSING_SIGNER_DATA;
hx509_set_error_string(context, 0, ret,
"SignerInfo %zu in SignedData "
- "missing sigature", i);
+ "missing signature", i);
continue;
}
sa.val = signer_info->signedAttrs->val;
sa.len = signer_info->signedAttrs->len;
- /* verify that sigature exists */
+ /* verify that signature exists */
attr = find_attribute(&sa, &asn1_oid_id_pkcs9_messageDigest);
if (attr == NULL) {
ret = HX509_CRYPTO_SIGNATURE_MISSING;
hx509_set_error_string(context, 0, ret,
- "SignerInfo have signed attributes "
+ "SignerInfo has signed attributes "
"but messageDigest (signature) "
"is missing");
- goto next_sigature;
+ goto next_signature;
}
if (attr->value.len != 1) {
ret = HX509_CRYPTO_SIGNATURE_MISSING;
hx509_set_error_string(context, 0, ret,
- "SignerInfo have more then one "
+ "SignerInfo has more than one "
"messageDigest (signature)");
- goto next_sigature;
+ goto next_signature;
}
ret = decode_MessageDigest(attr->value.val[0].data,
hx509_set_error_string(context, 0, ret,
"Failed to decode "
"messageDigest (signature)");
- goto next_sigature;
+ goto next_signature;
}
ret = _hx509_verify_signature(context,
if (ret) {
hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
"Failed to verify messageDigest");
- goto next_sigature;
+ goto next_signature;
}
/*
if (attr->value.len != 1) {
ret = HX509_CMS_DATA_OID_MISMATCH;
hx509_set_error_string(context, 0, ret,
- "More then one oid in signedAttrs");
- goto next_sigature;
+ "More than one oid in signedAttrs");
+ goto next_signature;
}
ret = decode_ContentType(attr->value.val[0].data,
hx509_set_error_string(context, 0, ret,
"Failed to decode "
"oid in signedAttrs");
- goto next_sigature;
+ goto next_signature;
}
match_oid = &decode_oid;
}
if (match_oid == &decode_oid)
der_free_oid(&decode_oid);
hx509_clear_error_string(context);
- goto next_sigature;
+ goto next_signature;
}
if (size != signed_data.length)
_hx509_abort("internal ASN.1 encoder error");
signed_data.data = NULL;
}
if (ret)
- goto next_sigature;
+ goto next_signature;
/**
* If HX509_CMS_VS_NO_VALIDATE flags is set, return the signer
found_valid_sig++;
}
- next_sigature:
+ next_signature:
if (cert)
hx509_cert_free(cert);
cert = NULL;
}
/**
* If HX509_CMS_VS_ALLOW_ZERO_SIGNER is set, allow empty
- * SignerInfo (no signatures). If SignedData have no signatures,
+ * SignerInfo (no signatures). If SignedData has no signatures,
* the function will return 0 with signer_certs set to NULL. Zero
- * signers is allowed by the standard, but since its only useful
- * in corner cases, it make into a flag that the caller have to
+ * signers is allowed by the standard, but since it's only useful
+ * in corner cases, it's made into a flag that the caller has to
* turn on.
*/
if (sd.signerInfos.len == 0 && (flags & HX509_CMS_VS_ALLOW_ZERO_SIGNER)) {
if (ret == 0) {
ret = HX509_CMS_SIGNER_NOT_FOUND;
hx509_set_error_string(context, 0, ret,
- "No signers where found");
+ "No signers were found");
}
goto out;
}
* @param flags
* @param eContentType the type of the data.
* @param data data to sign
- * @param length length of the data that data point to.
+ * @param length length of the data that data points to.
* @param digest_alg digest algorithm to use, use NULL to get the
* default or the peer determined algorithm.
- * @param cert certificate to use for sign the data.
+ * @param cert certificate to use for signing the data.
* @param peer info about the peer the message to send the message to,
* like what digest algorithm to use.
* @param anchors trust anchors that the client will use, used to
goto error;
}
if (siglen > sig->length)
- _hx509_abort("ECDSA signature prelen longer the output len");
+ _hx509_abort("ECDSA signature prelen longer than output len");
sig->length = siglen;
memmove((uint8_t *)sig->data + size, sig->data, ret);
memset(sig->data, 0, size);
} else if (sig->length < (size_t)ret)
- _hx509_abort("RSA signature prelen longer the output len");
+ _hx509_abort("RSA signature prelen longer than output len");
return 0;
}
if (sig->length != sigsize || sigsize > sizeof(digest)) {
hx509_set_error_string(context, 0, HX509_CRYPTO_SIG_INVALID_FORMAT,
- "SHA256 sigature have wrong length");
+ "SHA256 sigature has wrong length");
return HX509_CRYPTO_SIG_INVALID_FORMAT;
}
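Review bot: The reworded message on the `+` line still misspells the word this same change corrects everywhere else: `"SHA256 sigature has wrong length"` should be `"SHA256 signature has wrong length"`, matching the `missing signature` message and the `next_signature` label fixed in the hx509 CMS hunks. The check itself also rejects `sigsize > sizeof(digest)`, so the message slightly understates what is validated, but that wording is pre-existing and out of scope here. The enclosing function starts and ends outside the hunk.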
prefix HX509
error_code CRL_USED_BEFORE_TIME, "CRL used before it became valid"
error_code CRL_USED_AFTER_TIME, "CRL used after it became invalid"
-error_code CRL_INVALID_FORMAT, "CRL have invalid format"
+error_code CRL_INVALID_FORMAT, "CRL has invalid format"
error_code CERT_REVOKED, "Certificate is revoked"
error_code REVOKE_STATUS_MISSING, "No revoke status found for certificates"
error_code CRL_UNKNOWN_EXTENSION, "Unknown extension"
hx509_name *name)
{
if (req->name == NULL) {
- hx509_set_error_string(context, 0, EINVAL, "Request have no name");
+ hx509_set_error_string(context, 0, EINVAL, "Request has no name");
return EINVAL;
}
return hx509_name_copy(context, req->name, name);
};
/**
- * Allocate a revokation context. Free with hx509_revoke_free().
+ * Allocate a revocation context. Free with hx509_revoke_free().
*
* @param context A hx509 context.
- * @param ctx returns a newly allocated revokation context.
+ * @param ctx returns a newly allocated revocation context.
*
* @return An hx509 error code, see hx509_get_error_string().
*
}
/**
- * Free a hx509 revokation context.
+ * Free a hx509 revocation context.
*
* @param ctx context to be freed
*
goto out;
/*
- * If signer certificate isn't the CA certificate, lets check the
- * it is the CA that signed the signer certificate and the OCSP EKU
+ * If signer certificate isn't the CA certificate, let's check that
+ * it is the CA that signed the signer certificate and that the OCSP EKU
* is set.
*/
if (hx509_cert_cmp(signer, parent) != 0) {
}
/**
- * Add a OCSP file to the revokation context.
+ * Add a OCSP file to the revocation context.
*
* @param context hx509 context
- * @param ctx hx509 revokation context
+ * @param ctx hx509 revocation context
* @param path path to file that is going to be added to the context.
*
* @return An hx509 error code, see hx509_get_error_string().
if (strncmp(path, "FILE:", 5) != 0) {
hx509_set_error_string(context, 0, HX509_UNSUPPORTED_OPERATION,
- "unsupport type in %s", path);
+ "unsupported type in %s", path);
return HX509_UNSUPPORTED_OPERATION;
}
/*
* If signer is not CA cert, need to check revoke status of this
* CRL signing cert too, this include all parent CRL signer cert
- * up to the root *sigh*, assume root at least hve CERTSIGN flag
+ * up to the root *sigh*, assume root at least has CERTSIGN flag
* set.
*/
while (_hx509_check_key_usage(context, signer, 1 << 5, TRUE)) {
}
/**
- * Add a CRL file to the revokation context.
+ * Add a CRL file to the revocation context.
*
* @param context hx509 context
- * @param ctx hx509 revokation context
+ * @param ctx hx509 revocation context
* @param path path to file that is going to be added to the context.
*
* @return An hx509 error code, see hx509_get_error_string().
}
/**
- * Check that a certificate is not expired according to a revokation
- * context. Also need the parent certificte to the check OCSP
+ * Check that a certificate is not expired according to a revocation
+ * context. Also need the parent certificate to check the OCSP
* parent identifier.
*
* @param context hx509 context
- * @param ctx hx509 revokation context
+ * @param ctx hx509 revocation context
* @param certs
* @param now
* @param cert
struct revoke_ocsp *ocsp = &ctx->ocsps.val[i];
struct stat sb;
- /* check this ocsp apply to this cert */
+ /* check if this ocsp applies to this cert */
/* check if there is a newer version of the file */
ret = stat(ocsp->path, &sb);
if (hx509_cert_cmp(ctx->parent, parent) != 0) {
ret = HX509_REVOKE_NOT_SAME_PARENT;
hx509_set_error_string(context, 0, ret,
- "Not same parent certifate as "
+ "Not same parent certificate as "
"last certificate in request");
goto out;
}
--missing-revoke \
--anchors=FILE:$srcdir/data/ca.crt \
sd.data sd.data.out 2> signer.tmp && exit 1
-grep "No signers where found" signer.tmp > /dev/null || exit 1
+grep "No signers were found" signer.tmp > /dev/null || exit 1
echo "create signed data (id-by-name)"
${hxtool} cms-create-sd \
"password_lifetime",
NULL);
- *(ent->pw_end) = time(NULL) + life;
+ if (life != 0)
+ *(ent->pw_end) = time(NULL) + life;
+ else {
+ free(ent->pw_end);
+ ent->pw_end = NULL;
+ }
}
return 0;
}
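Review bot: The new `if (life != 0)` / `else` braces only the else arm; brace both arms (`if (life != 0) {` … `} else {` … `}`) so the single-statement branch is not left open to a dangling-else or an accidentally unbraced second statement later. The `life != 0` arm still writes through `ent->pw_end` unconditionally, so it depends on a non-NULL guard that must sit above the hunk — the enclosing function starts outside the hunk, so that guard is not visible here. Because a lifetime of 0 now frees and NULLs `ent->pw_end`, a short comment on the else arm would help the next reader, e.g. `/* password_lifetime = 0 clears any existing password expiration */`, mirroring the kadmind.conf text added in this commit.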
type = krb5_cc_get_type(context, id);
if (type == NULL) {
krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
- "cache have no name of type");
+ "cache has no name of type");
return KRB5_CC_UNKNOWN_TYPE;
}
name = krb5_cc_get_name(context, id);
if (name == NULL) {
krb5_set_error_message(context, KRB5_CC_BADNAME,
- "cache of type %s have no name", type);
+ "cache of type %s has no name", type);
return KRB5_CC_BADNAME;
}
* @param context Kerberos 5 context
* @param crypto1 first key to combine
* @param crypto2 second key to combine
- * @param pepper1 factor to combine with first key to garante uniqueness
- * @param pepper2 factor to combine with second key to garante uniqueness
+ * @param pepper1 factor to combine with first key to guarantee uniqueness
+ * @param pepper2 factor to combine with second key to guarantee uniqueness
* @param enctype the encryption type of the resulting key
* @param res allocated key, free with krb5_free_keyblock_contents()
*
#ifndef HEIMDAL_SMALLER
/**
- * Deprecated: keytypes doesn't exists, they are really enctypes.
+ * Deprecated: keytypes don't exist, they are really enctypes.
*
* @ingroup krb5_deprecated
*/
}
if (n == 0) {
krb5_set_error_message(context, KRB5_PROG_KEYTYPE_NOSUPP,
- "Keytype have no mapping");
+ "Keytype has no mapping");
return KRB5_PROG_KEYTYPE_NOSUPP;
}
}
/**
- * Deprecated: keytypes doesn't exists, they are really enctypes.
+ * Deprecated: keytypes don't exist, they are really enctypes.
*
* @ingroup krb5_deprecated
*/
if (key == NULL) {
ret = EINVAL;
krb5_set_error_message(context, ret,
- N_("Digest reply have no remote subkey", ""));
+ N_("Digest reply has no remote subkey", ""));
goto out;
}
ppaid = process_pa_info(context, ctx->cred.client, a, &paid, in_md);
/*
- * If we don't have ppaid, ts because the KDC have not sent any
- * salt info, lets to the first roundtrip so the KDC have a chance
- * to send any.
+ * If we don't have ppaid, it's because the KDC has not sent any
+ * salt info. Let's do the first roundtrip so the KDC has a chance
+ * to send some.
*/
if (ppaid == NULL) {
_krb5_debug(context, 5, "no ppaid found");
if (rep) {
/*
* Some KDC's don't send salt info in the reply when there is
- * success pre-auth happned before, so use cached copy (or
+ * success pre-auth happened before, so use cached copy (or
* even better, if there is just one pre-auth, save reply-key).
*/
if (ppaid == NULL && ctx->paid.etype != KRB5_ENCTYPE_NULL) {
}
/*
- * If we don't have ppaid, ts because the KDC have not sent any
- * salt info, lets to the first roundtrip so the KDC have a chance
- * to send any.
+ * If we don't have ppaid, it's because the KDC has not sent any
+ * salt info. Let's do the first roundtrip so the KDC has a chance
+ * to send some.
*
* Don't bother guessing, it sounds like a good idea until you run
* into KDCs that are doing failed auth counting based on the
* ENC_TS tries.
*
- * Stashing the salt for the next run is a diffrent issue and
+ * Stashing the salt for the next run is a different issue and
* could be considered in the future.
*/
/*
* We have to allow the KDC to re-negotiate the PA-TS data
- * once, this is since the in the case of a windows read only
+ * once, this is since a windows read only
* KDC that doesn't have the keys simply guesses what the
- * master is supposed to support. In the case where this
- * breaks in when the RO-KDC is a newer version the the RW-KDC
+ * master is supposed to support. The case where this
+ * breaks is when the RO-KDC is a newer version than the RW-KDC
* and the RO-KDC announced a enctype that the older doesn't
* support.
*/
*/
pa_restart_f restart;
/**
- * Return 0 if the when complete, HEIM_ERR_PA_CONTINUE_NEEDED if more steps are require
+ * Return 0 when complete, HEIM_ERR_PA_CONTINUE_NEEDED if more steps are required
*/
pa_step_f step;
pa_release_f release;
/* FIXME should generate a new nonce for each AS-REQ */
krb5_generate_random_block (&ctx->nonce, sizeof(ctx->nonce));
ctx->nonce &= 0x7fffffff;
- /* XXX these just needs to be the same when using Windows PK-INIT */
+ /* XXX these just need to be the same when using Windows PK-INIT */
ctx->pk_nonce = ctx->nonce;
ctx->prompter = prompter;
ctx->keyproc = keytab_key_proc;
/*
- * We need to the KDC what enctypes we support for this keytab,
- * esp if the keytab is really a password based entry, then the
+ * We need to tell the KDC what enctypes we support for this keytab,
+ * especially if the keytab is really a password based entry, then the
* KDC might have more enctypes in the database then what we have
* in the keytab.
*/
found = 1;
- /* check if we ahve this kvno already */
+ /* check if we have this kvno already */
if (entry.vno > kvno) {
/* remove old list of etype */
if (etypes)
ref_realm);
/*
- * If its a krbtgt, lets updat the requested krbtgt too
+ * If its a krbtgt, lets update the requested krbtgt too
*/
if (krb5_principal_is_krbtgt(context, ctx->cred.server)) {
.Bl -tag -width "xxx" -offset indent
.It Li password_lifetime = Va time
If a principal already have its password set for expiration, this is
-the time it will be valid for after a change.
+the time it will be valid for after a change. A value of 0 will clear
+the password expiration after a successful password change.
.It Li default_keys = Va keytypes...
For each entry in
.Va default_keys
#index 85
#prefix KRB5_IAKERB
#error_code ERR_KDC_NOT_FOUND, "IAKERB proxy could not find a KDC"
-#error_code ERR_KDC_NO_RESPONSE, "IAKERB proxy never reeived a response from a KDC"
+#error_code ERR_KDC_NO_RESPONSE, "IAKERB proxy never received a response from a KDC"
index 90
error_code PREAUTH_EXPIRED, "Pre-authentication data expired"
/*
* Returns the size of the PACTYPE header + the PAC_INFO_BUFFER array. This is
* also the end of the whole thing, and any offsets to buffers from
- * thePAC_INFO_BUFFER[] entries have to be beyond it.
+ * the PAC_INFO_BUFFER[] entries have to be beyond it.
*/
static krb5_error_code
pac_header_size(krb5_context context, uint32_t num_buffers, uint32_t *result)
* http://comments.gmane.org/gmane.comp.encryption.kerberos.devel/8743
* for the same issue in MIT, and
* http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx
- * for Microsoft's explaination */
+ * for Microsoft's explanation */
if (cksum.cksumtype == CKSUMTYPE_HMAC_MD5 && !strict_cksumtype_match) {
Checksum local_checksum;
ret = hx509_get_one_cert(context->hx509ctx, signer_certs, &(*signer)->cert);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
- "Failed to get on of the signer certs");
+ "Failed to get one of the signer certs");
goto out;
}
ret = KRB5_KDC_ERR_INVALID_CERTIFICATE;
/* XXX: Lost in translation... */
krb5_set_error_message(context, ret,
- N_("KDC have wrong realm name in "
+ N_("KDC has wrong realm name in "
"the certificate", ""));
}
}
ret = hx509_revoke_init(context->hx509ctx, &id->revokectx);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
- "Failed init revoke list");
+ "Failed to init revoke list");
goto out;
}
*revoke_list);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
- "Failed load revoke list");
+ "Failed to load revoke list");
goto out;
}
revoke_list++;
ret = hx509_verify_init_ctx(context->hx509ctx, &id->verify_ctx);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
- "Failed init verify context");
+ "Failed to init verify context");
goto out;
}
m1->bits = atoi(p1);
if (m1->bits == 0) {
krb5_set_error_message(context, ret,
- N_("moduli file %s have un-parsable "
+ N_("moduli file %s has un-parsable "
"bits on line %d", ""), file, lineno);
goto out;
}
krb5_set_error_message(context,
KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED,
N_("PKINIT: DH group parameter %s "
- "no accepted, not enough bits "
+ "not accepted, not enough bits "
"generated", ""),
moduli[i]->name);
return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
}
krb5_set_error_message(context,
KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED,
- N_("PKINIT: DH group parameter no ok", ""));
+ N_("PKINIT: DH group parameter not ok", ""));
return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
}
#endif /* PKINIT */
* Truncate the storage buffer in sp to offset.
*
* @param sp the storage buffer to truncate.
- * @param offset the offset to truncate too.
+ * @param offset the offset to truncate to.
*
* @return An Kerberos 5 error code.
*
* Store a int32 to storage, byte order is controlled by the settings
* on the storage, see krb5_storage_set_byteorder().
*
- * @param sp the storage to write too
+ * @param sp the storage to write to
* @param value the value to store
*
* @return 0 for success, or a Kerberos 5 error code on failure.
* Store a int64 to storage, byte order is controlled by the settings
* on the storage, see krb5_storage_set_byteorder().
*
- * @param sp the storage to write too
+ * @param sp the storage to write to
* @param value the value to store
*
* @return 0 for success, or a Kerberos 5 error code on failure.
* Store a uint32 to storage, byte order is controlled by the settings
* on the storage, see krb5_storage_set_byteorder().
*
- * @param sp the storage to write too
+ * @param sp the storage to write to
* @param value the value to store
*
* @return 0 for success, or a Kerberos 5 error code on failure.
* Store a uint64 to storage, byte order is controlled by the settings
* on the storage, see krb5_storage_set_byteorder().
*
- * @param sp the storage to write too
+ * @param sp the storage to write to
* @param value the value to store
*
* @return 0 for success, or a Kerberos 5 error code on failure.
* Read a int64 from storage, byte order is controlled by the settings
* on the storage, see krb5_storage_set_byteorder().
*
- * @param sp the storage to write too
+ * @param sp the storage to write to
* @param value the value read from the buffer
*
* @return 0 for success, or a Kerberos 5 error code on failure.
* Read a uint64 from storage, byte order is controlled by the settings
* on the storage, see krb5_storage_set_byteorder().
*
- * @param sp the storage to write too
+ * @param sp the storage to write to
* @param value the value read from the buffer
*
* @return 0 for success, or a Kerberos 5 error code on failure.
* Read a int32 from storage, byte order is controlled by the settings
* on the storage, see krb5_storage_set_byteorder().
*
- * @param sp the storage to write too
+ * @param sp the storage to write to
* @param value the value read from the buffer
*
* @return 0 for success, or a Kerberos 5 error code on failure.
* Read a uint32 from storage, byte order is controlled by the settings
* on the storage, see krb5_storage_set_byteorder().
*
- * @param sp the storage to write too
+ * @param sp the storage to write to
* @param value the value read from the buffer
*
* @return 0 for success, or a Kerberos 5 error code on failure.
* Store a int16 to storage, byte order is controlled by the settings
* on the storage, see krb5_storage_set_byteorder().
*
- * @param sp the storage to write too
+ * @param sp the storage to write to
* @param value the value to store
*
* @return 0 for success, or a Kerberos 5 error code on failure.
* Store a uint16 to storage, byte order is controlled by the settings
* on the storage, see krb5_storage_set_byteorder().
*
- * @param sp the storage to write too
+ * @param sp the storage to write to
* @param value the value to store
*
* @return 0 for success, or a Kerberos 5 error code on failure.
* Read a int16 from storage, byte order is controlled by the settings
* on the storage, see krb5_storage_set_byteorder().
*
- * @param sp the storage to write too
+ * @param sp the storage to write to
* @param value the value read from the buffer
*
* @return 0 for success, or a Kerberos 5 error code on failure.
* Read a int16 from storage, byte order is controlled by the settings
* on the storage, see krb5_storage_set_byteorder().
*
- * @param sp the storage to write too
+ * @param sp the storage to write to
* @param value the value read from the buffer
*
* @return 0 for success, or a Kerberos 5 error code on failure.
/**
* Store a int8 to storage.
*
- * @param sp the storage to write too
+ * @param sp the storage to write to
* @param value the value to store
*
* @return 0 for success, or a Kerberos 5 error code on failure.
/**
* Store a uint8 to storage.
*
- * @param sp the storage to write too
+ * @param sp the storage to write to
* @param value the value to store
*
* @return 0 for success, or a Kerberos 5 error code on failure.
/**
* Read a int8 from storage
*
- * @param sp the storage to write too
+ * @param sp the storage to write to
* @param value the value read from the buffer
*
* @return 0 for success, or a Kerberos 5 error code on failure.
/**
* Read a uint8 from storage
*
- * @param sp the storage to write too
+ * @param sp the storage to write to
* @param value the value read from the buffer
*
* @return 0 for success, or a Kerberos 5 error code on failure.
{ 15, 3601, "1 hour 1 second" },
{ 16, 3602, "1 hour 2 seconds" },
{ 9, 300, "5 minutes" },
+ { 1, 0, "0" },
};
int
* Convert an UTF-8 string to an UCS4 string.
*
* @param in an UTF-8 string to convert.
- * @param out the resulting UCS4 strint, must be at least
+ * @param out the resulting UCS4 string, must be at least
* wind_utf8ucs4_length() long. If out is NULL, the function will
* calculate the needed space for the out variable (just like
* wind_utf8ucs4_length()).
* @param in an UCS4 string to convert.
* @param in_len the length input array.
- * @param out the resulting UTF-8 strint, must be at least
+ * @param out the resulting UTF-8 string, must be at least
* wind_ucs4utf8_length() + 1 long (the extra char for the NUL). If
* out is NULL, the function will calculate the needed space for the
* out variable (just like wind_ucs4utf8_length()).
* Convert an UTF-8 string to an UCS2 string.
*
* @param in an UTF-8 string to convert.
- * @param out the resulting UCS2 strint, must be at least
+ * @param out the resulting UCS2 string, must be at least
* wind_utf8ucs2_length() long. If out is NULL, the function will
* calculate the needed space for the out variable (just like
* wind_utf8ucs2_length()).
*
* @param in an UCS2 string to convert.
* @param in_len the length of the in UCS2 string.
- * @param out the resulting UTF-8 strint, must be at least
+ * @param out the resulting UTF-8 string, must be at least
* wind_ucs2utf8_length() long. If out is NULL, the function will
* calculate the needed space for the out variable (just like
* wind_ucs2utf8_length()).
# FIXME s/have/has/ or s/reply/replys/
#: lib/krb5/digest.c:365
-msgid "Digest reply have no remote subkey"
+msgid "Digest reply has no remote subkey"
msgstr "Digest-Antwort hat keinen fernen Unterschlüssel."
#: lib/krb5/digest.c:385
msgstr ""
#: lib/krb5/digest.c:365
-msgid "Digest reply have no remote subkey"
+msgid "Digest reply has no remote subkey"
msgstr ""
#: lib/krb5/digest.c:385
msgstr ""
#: lib/krb5/digest.c:363
-msgid "Digest reply have no remote subkey"
+msgid "Digest reply has no remote subkey"
msgstr ""
#: lib/krb5/digest.c:383